An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

On June 8, 2021, the White House published a set of reports on the 100-day interagency reviews (“Reports”) conducted pursuant to Executive Order 14017 (“Supply Chain EO”), which assessed supply chain risks and vulnerabilities for several supply chains, including those relating to semiconductor manufacturing and advanced packaging, and made policy recommendations to address those risks.

The Reports suggest that export controls on semiconductor-related equipment and technology can help protect the technological advantage of the United States in semiconductors by limiting the export of items that would contribute to the development of advanced semiconductor capabilities in countries of concern.  In particular, the Reports recommend that the US government:

  • Target and implement export controls that can support policy actions to identify and address vulnerabilities in the semiconductor manufacturing and advanced packaging supply chain;
  • Target and implement export controls on critical semiconductor equipment and technologies to address supply chain vulnerabilities; and
  • Collaborate and coordinate with key supplier allies and partners on effective multilateral controls.

The recommendations are broadly scoped, and the Reports do not recommend or preview more specific export controls that the US government might implement itself, or develop with its allies or partners.  However, the Reports are suggestive of several categories of items that might be targeted with enhanced export controls (e.g., additional export licensing requirements based on particular export control classification numbers).  In particular, the Reports identify significant competitive advantages enjoyed by US-based providers of electronic design automation tools and semiconductor intellectual property cores at the semiconductor design stage.  At the manufacturing stage, the Reports identify US strengths in the production of front-end semiconductor manufacturing equipment (e.g., etching, doping, deposition, and polishing or chemical mechanical planarization) and back-end testing equipment.  Companies that export such items will want to closely monitor any potential export control-related developments.

Key Takeaways

  1. The Reports recommend that the US government target and implement export controls on semiconductor-related equipment and technologies.
  2. Companies that export semiconductor-related equipment and technologies from the United States should monitor any potential export control-related developments that follow from the Reports.
  3. Non-US companies that transfer semiconductor-related equipment and technologies to China may need to consider the potential impact of heightened multilateral controls on their business.

The post United States: Biden Administration Supply Chain Reports Deeper Dive #3: White House 100-Day Review of Semiconductor and Advanced Packaging Supply Chain Recommends Strengthening Export Control appeared first on Global Compliance News.


So much for darkened servers at the headquarters of DarkSide or REvil ransomware groups. Turns out, we’ve got either their rebranded versions or two new ransomware gangs to contend with. The first new group to appear this month was Haron, and the second is named BlackMatter. As Ars Technica‘s Dan Goodin points out, there may be more still out there. They’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They’re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc. BlackMatter also promised free decryption if its affiliates screw up and kill kittens or freeze files at, say, pipeline companies, as happened when Colonial Pipeline was attacked by DarkSide in May.

Haron & Its Cut-and-Paste Ransom Note

The first sample of the Haron malware was submitted to VirusTotal on July 19. Three days later, the South Korean security firm S2W Lab reported on the group in a post that laid out similarities between Haron and Avaddon. Avaddon is yet another prolific ransomware-as-a-service (RaaS) provider that evaporated in June rather than face the legal heat that followed Colonial Pipeline and other big ransomware attacks. At the time, Avaddon released its decryption keys to BleepingComputer – 2,934 in total – with each key belonging to an individual victim. According to law enforcement, the average extortion fee Avaddon demanded was about $40,000, meaning the…


Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them and reduce security risks. However, experts have mixed feelings about the tool, called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them. Alejandro Caceres, director of computer network exploitation at QOMPLX, and hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON gathering next week. QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple and massively scalable monitoring tool that quickly identifies gaps in collective defenses by highlighting which websites can easily fall prey to attackers,” according to a press release. The tool can provide internet users and the cyber community a “shared perspective” on the specific dangers of the web, the company said. “We want everyone to be able to answer a simple question: how dangerous is the internet I use?” Jason Crabtree, CEO of QOMPLX, said in a press statement. “Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, and frankly if website owners are not fixing the fundamentals it’s unlikely…


This week, Microsoft rushed out a fix for a Windows NT LAN Manager exploit dubbed “PetitPotam” that forces remote Windows systems to reveal password hashes that can be easily cracked. The frenzy begs the question: Why is securing Microsoft Active Directory (AD) such a nightmare? When security researcher Gilles Lionel first identified the bug last week, he also published proof-of-concept (PoC) exploit code to demonstrate the attack. The PoC demonstrated how a PetitPotam attack can be chained to an exploit targeting Windows Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality. Attack paths in AD are a huge issue for enterprises. It’s not just PetitPotam; AD was also part of the problem during the SolarWinds attacks. SpecterOps researchers Lee Christensen and Will Schroeder, who recently published a report on abusing AD CS titled Certified Pre-Owned (PDF), which they will also present in a session at Black Hat next week, are trying to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network. It’s a serious situation. AD is used by over 90 percent of the Fortune 1000 for identity and access management. Organizations need solutions that can simplify protection: solutions that can cut through the haze to gain better visibility…


Welcome to our Virtual Global Trade Conference, a virtual offering for all our clients and friends worldwide. Baker McKenzie’s international trade compliance lawyers from around the world discussed the major developments impacting international trade, in nine one-hour sessions which took place from 13 to 15 July 2021.

Session 1: Overview & Trade Policy Landscape

Speakers: John Rood (Former U.S. Under Secretary of Defense for Policy), John McKenzie, Rod Hunter, Sunny Mann, Pablo Bentes

Topics discussed:

  • Globalization in an era of geopolitics
  • Biden Administration trade policy 6 months in
  • CFIUS and international foreign investment regulation developments
  • The evolving foreign investment regime landscape
  • World Trade Organization: Prospects and Key Priorities
  • America’s Supply Chain Focus: Supply Chain Executive Order, ICTS Executive Order, NDAA s. 889 and Buy American initiatives

Session 2: Export Control Developments

Speakers: Janet Kim, Paul Amberg, Alex Lamy, Alison Stafford Powell, Ben Smith

Topics discussed:

  • Emerging and foundational technologies: implementation of the mandate of the ECRA
  • New military and military intelligence end-user/military end-use export control requirements
  • Huawei-specific “foreign direct product” rule and related licensing for 5G
  • BIS Entity List proliferation and implications
  • Hong Kong: Update on the implications of the changed status of Hong Kong
  • European and UK export control developments
    • Implications of BREXIT and divergence of regulatory approaches and requirements
    • New UK guidance on technology exports, cloud computing and remote access
  • Encryption amendments and Wassenaar Amendments implementation

Session 3: Economic Sanctions

Speakers: Alison Stafford Powell, Alex Lamy, Ben Smith, Kerry Contini, Sylwia Lis

Topics discussed:

  • Burma/Myanmar
  • Iran – Prospects for US rejoining the JCPOA
  • Russia
    • Major new Russia-focused sanctions authorities for Specified Harmful Foreign Activities
    • NordStream II
    • CBW sanctions
    • Implications of designation of the FSB as a NPWMD sanctioned party
    • European sanctions
    • Russian response
  • Venezuela
  • Belarus
  • EU/UK Sanctions developments and prospects post-BREXIT
  • New UK global anti-corruption sanctions

Session 4: Spotlight on China Trade Developments – Part 1

Speakers: Alison Stafford Powell, Kerry Contini, Aleesha Fowler, Eunkyung Kim Shin, Andrew Rose

Topics discussed:

  • Sanctions against China
    • China-related Entity List Sanctions
    • OFAC sanctions programs used against China
    • Investment Restrictions in certain Chinese Military Companies – EO 13959 and EO 14032
    • Hong Kong Autonomy Act implementation
    • European Union, UK sanctions against China
  • Trade compliance and ESG Risks and mitigation in China-related supply chains
    • State Department Advisory
    • CBP withhold release orders
    • Modern Slavery and Human Trafficking Laws
    • California Transparency in Supply Chains Act
    • Section 307 of the Tariff Act and CAATSA provisions on North Korean labor
  • Semiconductor and Advanced Packaging initiative (BIS)

Session 5: Spotlight on China Trade Developments – Part 2

Speakers: John McKenzie, Ivy Tan, Weng Keong Kok, Vivian Wu, Iris Zhang

Topics discussed:

  • Implementation of the Chinese export control law
  • MOFCOM’s new export control compliance program guidelines
  • China’s Encryption Law and Announcement 63: import and export restrictions
  • MOFCOM’s Order No. 4: Implementing China’s Unreliable Entity List System
  • MOFCOM’s “Blocking” Regulation: Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures and China’s response to US and foreign sanctions
  • Implementation of China’s National Security Law in Hong Kong
  • Status and Prospects for the U.S.-China Phase One Trade Agreement

Session 6: Import and Customs Developments

Speakers: John McKenzie, Alison Stafford Powell, Christine Streatfeild, Gene Tien

Topics discussed:

  • Customs Valuation
  • First sale and the CIT decision in U.S. v. Meyer
  • Transfer pricing and customs valuation
  • Section 301 Developments
  • Challenge to China lists 3-4: HMTX case status
  • The Ireland/Northern Ireland Border Issue
  • USTR product exclusion procedures
  • Country of origin analysis (USMCA and “products of China” for section 301 purposes)
  • Digital Services Tax Developments and Section 301 investigations
  • ICTS – Developments Towards Protecting the Information and Communications Technology and Services Supply Chain (EO 13873) and Protecting Americans’ Sensitive Data (EO 14034)

Session 7: Export Control and Economic Sanctions Enforcement

Speakers: Alison Stafford Powell, Terry Gilroy, Jess Nall, Helena Engfeldt, Tristan Grimmer, Sam Kramer

Topics discussed:

  • Leading Cases: Lessons Learned
  • Export Control and Economic Sanctions Enforcement Trends
  • Expectations of Regulatory Authorities (DoJ, OFAC, OEE)
  • Ransomware – Trade compliance and data privacy issues in ransomware attacks
  • Focus on cryptocurrency and blockchain issues in sanctions compliance cases

Session 8: Trade Agreements Developments

Speakers: John McKenzie, Adriana Ibarra-Fernandez, Paul Burns, Jenny Revis, Ivy Tan

Topics discussed:

  • USMCA: What we have learned in the past 18 months
  • Comprehensive Pacific Partnership: Prospects for US participation
  • The challenge of the Regional Comprehensive Economic Partnership (RCEP)
  • Prospects for a US-UK Free Trade Agreement
  • European Union-UK Free Trade Agreement
  • Various UK trade agreement initiatives
  • Transpacific Partnership (without the United States)

Session 9: Trade Developments – Rest of the World

Speakers: John McKenzie, Brian Cacic, Junko Suetomi, Weng Keong Kok, Alessandra Machado, Virusha Subban

Topics discussed:

  • Canada
  • Japan
  • Brazil
  • South Africa

The post Multijurisdictional: 2021 Virtual Global Trade Conference appeared first on Global Compliance News.


To date, the No More Ransom repository of ransomware decryptors has helped more than 6 million victims recover their files, keeping nearly a billion euros out of the hands of cybercriminals, according to a Monday release. Launched five years ago, No More Ransom is maintained via cooperation between the European Cybercrime Centre and several cybersecurity and other types of companies, including Kaspersky, McAfee, Barracuda and AWS. Its purpose is to keep victims from handing over the cash that helps fuel more ransomware attacks, according to Europol. “The general advice is not to pay the ransom,” No More Ransom advises. “By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.” Instead, the group directs victims to their Crypto Sheriff tool. There, victims can enter either the URL, onion or Bitcoin address given by the attacker to pay the ransom. The tool searches the No More Ransom database, where the offerings have grown from an initial four decryptors back in 2016 to the current roster of 121 tools to decrypt 152 ransomware families. It’s also free and available in 37 languages, according to the group. If no decryptor is available for a given ransomware infection, keep checking back: No More Ransom regularly adds new unlock tools.

Don’t Pay the Ransom: Here’s Why

Ransomware victims are increasingly reluctant to pay ransom demands. A Threatpost poll from June found 80…


By Michael Parisi, Vice President, Business Development & Adoption, HITRUST

Breaches, ransomware, and other cybersecurity attacks are often introduced through third-party vulnerabilities. Underscoring this high degree of risk, the Ponemon Institute reports, “Over half of organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.”

All vendors are considered third parties, but not all third parties are vendors. Third parties can be any partner with whom your organization exchanges data or shares network connectivity – including through internet portals. Third-Party Risk Management has always been challenging in healthcare and is even more difficult now with an ever-increasing level of information security threats, along with the added demands caused by COVID-19.

Source: “A Crisis in Third-Party Remote Access Security,” 2021 report conducted by the Ponemon Institute

COVID-19 Conditions May Have Increased Risk Exposure

[Figure: Third-Party Risk Management Venn diagram]
As unprecedented events unfolded in response to the pandemic, healthcare organizations took extraordinary measures to serve their communities by quickly ordering test kits, treatment materials, medical supplies, personal protective equipment, and more. In many cases, these urgent demands forced short-circuiting the usual, more thorough third-party vetting and evaluation processes. In addition, requirements to capture, store, communicate, and report both patient and business operations information – sometimes to and from temporary remote locations such as parking lot tents – added an unprecedented layer of complexity and vulnerability to third-party information security and management. The proliferation of TeleMedicine collaboration through virtual networking introduced yet another risk factor where shared data could be compromised.

Because vendors were fast-tracked during a time of need and PHI sharing started happening in new ways, healthcare supply chain ecosystems may now include business partner vulnerabilities that pose residual threats that organizations do not even realize are present. The most prudent approach today is for healthcare organizations to look closely at the current risk profile of all their third-party relationships.

Proactively Addressing the Current State of Third-Party Risk Management

Protecting sensitive patient data requires close teamwork because of the mutual dependencies between large hospitals, smaller care facilities, physicians, and other care specialists, as well as pharmacies, medical suppliers, and supply chain partners. Because of this heavy collaboration, healthcare professionals must provide quality information protection assurances to each other to safely conduct business.

Now that healthcare is slowly returning to a more normal state of operations, it is an ideal time to go back and identify, assess, and manage third-party risk – some of which may have been introduced during the early days of the pandemic. This proactive process includes understanding the inherent risks associated with third-party relationships and obtaining appropriate, comprehensive, and transparent assurances that address those risks. In fact, under the HIPAA Omnibus Rule, some of the Privacy Rule and all of the Security Rule enforcement now apply directly to Business Associates and their subcontractors. This increase in shared breach requirements and compliance reviews means that Covered Entities have ongoing responsibilities to review Business Associate compliance and include appropriate liability protections in their third-party agreements.

Solidifying TPRM Programs Adds Immediate and Long-Term Benefits

Enhancing information risk management programs is a responsible and fiscally sound strategy. According to the HIPAA Journal, based on an IBM Security report published in 2019, the average cost of a data breach in the healthcare sector is $6.45 million, the highest cost of any industry. Using the latest industry best practices to address and manage information exchange within and between third parties reduces threats, adds peace of mind, and establishes a solid foundation for the future. With a strong third-party risk management program in place, it is far easier to perform due diligence activities and more confidently add vendors, suppliers, and business partners going forward.

Introducing… The HITRUST Assessment XChange

Whether your TPRM is part of an existing Governance Risk Compliance program or operates as a stand-alone function, chances are you can use additional resources to help ensure that business partners are not adding risk into your data management systems, and to identify current risk levels of which you may not be aware. The HITRUST Assessment XChange™ (The XChange) is a managed service offering designed to augment, complement, and extend an organization’s risk management program. Under your guidance, the XChange team will assume much of the administrative burden of working with your third-party network to evaluate levels of risk and obtain the appropriate levels of assurances. By relying on the HITRUST Assessment XChange to streamline and simplify third-party risk management tasks, your risk management team will have far more time to devote to more strategic activities.

To further explore strategies that cost-effectively enhance Third-Party Risk Management programs, visit HITRUST Booth #7401 at the HIMSS Global Health Conference & Exhibition in Las Vegas, August 9-13th.

Schedule a meeting with HITRUST at HIMSS.

For more information about HITRUST Assessment XChange, or any of the HITRUST information protection solutions – Call: 214-618-9300 or Email:


About the Author

Michael Parisi, Vice President of Business Development & Adoption, HITRUST

Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting, including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedures, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.

The post Your Healthcare Third-Party Risk Management Program May Be Overdue for a Check-Up appeared first on HITRUST Alliance.


The Zimbra webmail server has two flaws that could let an attacker paw through the inbox and outbox of all the employees in all the enterprises that use the immensely popular collaboration tool, researchers say. In a Tuesday writeup, SonarSource called it a “drastic” situation, given Zimbra’s popularity and the highly sensitive nature of the scads of messages that it handles. According to Zimbra’s site, its email and collaboration tools are used by over 200,000 businesses, over a thousand government and financial institutions, and hundreds of millions of users to exchange emails every day. “When attackers get access to an employee’s email account, it often has drastic security implications,” according to the report. “Besides the confidential information and documents that are exchanged, an email account is often linked to other sensitive accounts that allow a password reset. Think about it, what could an attacker do with your inbox?” Well, they’d freely romp through accounts, for one. SonarSource researchers discovered two vulnerabilities in the open-source Zimbra code that can be chained together to give attackers unrestricted access to Zimbra mail servers and to all sent and received emails of all employees.

Malicious Email Could Carry Crafted JavaScript Payload

Discovered by Simon Scannell, a vulnerability researcher at SonarSource, the first flaw could be triggered just by opening a malicious email containing a JavaScript payload. If a victim were to open such a rigged…


There are three new, unpatched zero-day vulnerabilities in Kaseya Unitrends that include remote code execution (RCE) and authenticated privilege escalation on the client-side. The Dutch Institute for Vulnerability Disclosure (DIVD) on Monday issued a public advisory warning that the service and clients should be kept off the internet until there’s a patch. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that’s delivered as either disaster recovery-as-a-service (DRaaS) or as an add-on for the Kaseya Virtual System/Server Administrator (VSA) remote management platform. The flaws are in versions earlier than 10.5.2.

“Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities.” —DIVD advisory

DIVD experts disclosed the three flaws last week. DIVD Chairman Victor Gevers told BleepingComputer that it’s only found a small number of vulnerable servers, but those vulnerable instances are located “in sensitive industries.” Gevers explained the advisory was originally shared with 68 government CERTs as an amber alert under a coordinated disclosure. One of the recipients went on to share it with an organization’s Financial Services service desk. From there, an employee published DIVD’s amber alert on an online analyzing platform, where it became public. “An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared…


Apple on Monday patched a zero-day flaw, found in both its iOS and macOS platforms, that is being actively exploited in the wild and can allow attackers to take over an affected system. The memory-corruption flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension, which exists in both iOS and macOS, and has been fixed separately for each device platform. Apple released three updates on Monday, iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1, to patch the vulnerability on each of the platforms. Exploiting CVE-2021-30807 can allow threat actors “to execute arbitrary code with kernel privileges,” Apple said in documentation describing the updates. “Apple is aware of a report that this issue may have been actively exploited,” the company said. Apple addressed the issue in each of the updates with “improve memory handling,” the company said. iOS devices that should be updated immediately are: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Though Apple attributed the discovery of the bug to an “anonymous researcher,” a security researcher at the Microsoft Security Response Center (MSRC) came forward separately on Monday and tweeted that he had discovered the vulnerability some time ago but hadn’t yet found the time to report it to Apple. “So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as…